From 6956e5c96ec2e28ec34f2d072a66c38503cb3bfa Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Wed, 7 Oct 2020 13:22:16 +0200
Subject: [PATCH] [!!!][TASK] Drop functionality of including hidden fe_groups
 via Admin Panel

AdminPanel's feature to include hidden records also covered fe_groups,
which made it possible to preview fe_groups that are marked as "hidden".

This feature has been removed as frontend groups need to be visible
in order to be previewed.

Resolves: #92499
Releases: master
Change-Id: Ic48b34a07b008e99d985569f2932979cdb08540a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66069
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
---
 .../Repositories/FrontendGroupsRepository.php |  9 ----
 .../AbstractUserAuthentication.php            |  6 ---
 .../Authentication/AuthenticationService.php  |  7 ---
 ...DoesNotPreviewHiddenFrontendUserGroups.rst | 44 +++++++++++++++++++
 .../TypoScriptFrontendController.php          |  2 -
 .../Php/PropertyPublicMatcher.php             |  5 +++
 6 files changed, 49 insertions(+), 24 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Breaking-92499-AdminPanelDoesNotPreviewHiddenFrontendUserGroups.rst

diff --git a/typo3/sysext/adminpanel/Classes/Repositories/FrontendGroupsRepository.php b/typo3/sysext/adminpanel/Classes/Repositories/FrontendGroupsRepository.php
index 395a84ce8dfc..2b2b12569e5a 100644
--- a/typo3/sysext/adminpanel/Classes/Repositories/FrontendGroupsRepository.php
+++ b/typo3/sysext/adminpanel/Classes/Repositories/FrontendGroupsRepository.php
@@ -19,7 +19,6 @@ namespace TYPO3\CMS\Adminpanel\Repositories;
 
 use TYPO3\CMS\Backend\FrontendBackendUserAuthentication;
 use TYPO3\CMS\Core\Database\ConnectionPool;
-use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
 use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
@@ -58,10 +57,6 @@ class FrontendGroupsRepository
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
             ->getQueryBuilderForTable('fe_groups');
 
-        $queryBuilder->getRestrictions()
-            ->removeAll()
-            ->add(GeneralUtility::makeInstance(DeletedRestriction::class));
-
         $optionCount = $queryBuilder->count('fe_groups.uid')
             ->from('fe_groups', 'fe_groups')
             ->innerJoin(
@@ -90,10 +85,6 @@ class FrontendGroupsRepository
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
             ->getQueryBuilderForTable('fe_groups');
 
-        $queryBuilder->getRestrictions()
-            ->removeAll()
-            ->add(GeneralUtility::makeInstance(DeletedRestriction::class));
-
         return $queryBuilder->select('fe_groups.uid', 'fe_groups.title')
             ->from('fe_groups')
             ->innerJoin(
diff --git a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
index 948e5440c8d7..427c3e2d1291 100644
--- a/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
@@ -114,11 +114,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
         'deleted' => '',
     ];
 
-    /**
-     * @var bool
-     */
-    public $showHiddenRecords = false;
-
     /**
      * Form field with login-name
      * @var string
@@ -1306,7 +1301,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
         $authInfo['HTTP_HOST'] = GeneralUtility::getIndpEnv('HTTP_HOST');
         $authInfo['REMOTE_ADDR'] = GeneralUtility::getIndpEnv('REMOTE_ADDR');
         $authInfo['REMOTE_HOST'] = GeneralUtility::getIndpEnv('REMOTE_HOST');
-        $authInfo['showHiddenRecords'] = $this->showHiddenRecords;
         // Can be overridden in localconf by SVCONF:
         $authInfo['db_user']['table'] = $this->user_table;
         $authInfo['db_user']['userid_column'] = $this->userid_column;
diff --git a/typo3/sysext/core/Classes/Authentication/AuthenticationService.php b/typo3/sysext/core/Classes/Authentication/AuthenticationService.php
index 6f757381364f..5d5e0175477d 100644
--- a/typo3/sysext/core/Classes/Authentication/AuthenticationService.php
+++ b/typo3/sysext/core/Classes/Authentication/AuthenticationService.php
@@ -19,7 +19,6 @@ use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
 use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
 use TYPO3\CMS\Core\Database\Connection;
 use TYPO3\CMS\Core\Database\ConnectionPool;
-use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
 use TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;
 use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
 use TYPO3\CMS\Core\SysLog\Type as SystemLogType;
@@ -199,9 +198,6 @@ class AuthenticationService extends AbstractAuthenticationService
                 $this->logger->debug('Get usergroups with id: ' . implode(',', $groups));
                 $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
                     ->getQueryBuilderForTable($this->db_groups['table']);
-                if (!empty($this->authInfo['showHiddenRecords'])) {
-                    $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
-                }
 
                 $res = $queryBuilder->select('*')
                     ->from($this->db_groups['table'])
@@ -237,9 +233,6 @@ class AuthenticationService extends AbstractAuthenticationService
     {
         // Fetching records of the groups in $grList:
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_groups');
-        if (!empty($this->authInfo['showHiddenRecords'])) {
-            $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
-        }
 
         $res = $queryBuilder
             ->select('uid', 'subgroup')
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-92499-AdminPanelDoesNotPreviewHiddenFrontendUserGroups.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92499-AdminPanelDoesNotPreviewHiddenFrontendUserGroups.rst
new file mode 100644
index 000000000000..85e8f1464e6b
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92499-AdminPanelDoesNotPreviewHiddenFrontendUserGroups.rst
@@ -0,0 +1,44 @@
+.. include:: ../../Includes.txt
+
+==========================================================================
+Breaking: #92499 - AdminPanel does not preview hidden Frontend User Groups
+==========================================================================
+
+See :issue:`92499`
+
+Description
+===========
+
+Admin Panel previously allowed to also render a page with frontend groups that
+were hidden / disabled. This feature has been removed,
+in order to ensure consistency for the authentication process.
+
+The AbstractUserAuthentication property `showHiddenRecords` which
+was used to transfer this information is removed.
+
+
+Impact
+======
+
+The Admin Panel selector now only shows a list of non-hidden groups
+to simulate from.
+
+Using the removed PHP property `showHiddenRecords` will result
+in a PHP notice.
+
+
+Affected Installations
+======================
+
+TYPO3 installations with Admin Panel activated and Frontend Groups
+that are disabled.
+
+
+Migration
+=========
+
+It is recommended to include groups where no user is assigned to
+for simulation purposes, if this feature is needed to preview
+content.
+
+.. index:: Frontend, ext:adminpanel, FullyScanned
diff --git a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
index 927ccdee2840..3f169441db9a 100644
--- a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
+++ b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
@@ -658,8 +658,6 @@ class TypoScriptFrontendController implements LoggerAwareInterface
     public function initUserGroups()
     {
         $userGroups = [0];
-        // This affects the hidden-flag selecting the fe_groups for the user!
-        $this->fe_user->showHiddenRecords = $this->context->getPropertyFromAspect('visibility', 'includeHiddenContent', false);
         // no matter if we have an active user we try to fetch matching groups which can be set without an user (simulation for instance!)
         $this->fe_user->fetchGroupData();
         $isUserAndGroupSet = is_array($this->fe_user->user) && !empty($this->fe_user->groupData['uid']);
diff --git a/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php b/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
index 25bd51e54186..6c6e8e19f402 100644
--- a/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
+++ b/typo3/sysext/install/Configuration/ExtensionScanner/Php/PropertyPublicMatcher.php
@@ -690,4 +690,9 @@ return [
             'Breaking-91563-PHP-basedJSCSSInclusionsForFrontendRemoved.rst'
         ],
     ],
+    'TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->showHiddenRecords' => [
+        'restFiles' => [
+            'Breaking-92499-AdminPanelDoesNotPreviewHiddenFrontendUserGroups.rst'
+        ],
+    ],
 ];
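Review bot: The added `AbstractUserAuthentication->showHiddenRecords` matcher entry only covers direct property access, but the AbstractUserAuthentication hunk of this commit also stops setting `$authInfo['showHiddenRecords']`, and a property matcher cannot flag an array-key read in an extension's own authentication service. A service that copied the removed `!empty($this->authInfo['showHiddenRecords'])` check would presumably just keep the hidden restriction in place, which is the safe direction, but nothing tells the integrator that the behaviour changed. I would name the key in the Breaking-92499 changelog next to the property, for example `The "showHiddenRecords" key is no longer set in the authInfo array handed to authentication services.` The `return [` array this entry belongs to opens outside the hunk.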
-- 
GitLab